For today's GSS, I think it would be reasonable to assume that if the
authenticated flag is true, and the context is within the sorts of
contexts we're talking about for Moonshot, SAML and SAML-EC, then the
issuer is the same issuer who issued the identity.
The assumption about context may be unnecessary; take a look at the
definition of the authenticated flag in naming extensions.
Determining who that is is tricky. For gss-eap and krb5 parsing the
initiator name and saying the attribute is issued by the realm in
question is fine. I'd expect that when we add multiple attribute
sources either the attributes will be aggregated and re-signed by the
IDP (in which case I think it is reasonable to treat them as issued by the
IDP) or they will have a different context and thus a different name
prefix. We can also add functions for getting issuers at that point.
--Sam